Scholarship@Vanderbilt Law
Vanderbilt Law School Faculty Publications
Faculty Scholarship
5-14-2019
The Law of Genetic Privacy: Applications,
Implications, and Limitations
Ellen Wright Clayton
Barbara J. Evans
Univ. of Houston
James W. Hazel
Vanderbilt University Medical Center
Mark A. Rothstein
Univ. of Louisville, School of Medicine
Recommended Citation
Ellen Wright Clayton, Barbara J. Evans, James W. Hazel, and Mark A. Rothstein, The Law of Genetic Privacy: Applications, Implications, and Limitations, Journal of Law and the Biosciences. 1-36 (2019)
Advance Access Publication 0 2019 Original Article
The law of genetic privacy: applications,
implications, and limitations
Ellen Wright Clayton 1, Barbara J. Evans 2, James W. Hazel 3 and Mark A. Rothstein 4,∗
1. Craig-Weaver Professor of Pediatrics, Center for Biomedical Ethics and Society, Vanderbilt University Medical Center, Nashville, TN 37203, USA
2. Mary Ann and Lawrence E. Faust Professor of Law; Professor of Electrical and Computer Engineering; Director, Center for Biotechnology & Law, University of Houston, Houston, TX 77004, USA
3. Postdoctoral Fellow, Center for Genetic Privacy and Identity in Community Settings, Vanderbilt University Medical Center, Nashville, TN 37203, USA
4. Herbert F. Boehl Chair of Law and Medicine, Director, Institute for Bioethics, Health Policy & Law, University of Louisville School of Medicine, Louisville, KY 40202, USA
∗Corresponding author. E-mail: [email protected]
ABSTRACT
Recent advances in technology have significantly improved the accuracy of genetic testing and analysis, and substantially reduced its cost, resulting in a dramatic increase in the amount of genetic information generated, analysed, shared, and stored by diverse individuals and entities. Given the diversity of actors and their interests, coupled with the wide variety of ways genetic data are held, it has been difficult to develop broadly applicable legal principles for genetic privacy. This article examines the current landscape of genetic privacy to identify the roles that the law does or should play, with a focus on federal statutes and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the Genetic Information Nondiscrimination Act (GINA). After considering the many contexts in which issues of genetic privacy arise, the article concludes that few, if any, applicable legal doctrines or enactments provide adequate protection or meaningful control to individuals over disclosures that may affect them. The article describes why it may be time to shift attention from attempting to control access to genetic information to considering the more challenging question of how these data can be used and under what conditions, explicitly addressing trade-offs between individual and social goods in numerous applications.
KEYWORDS: DNA, genetics, genomics, GINA, HIPAA, privacy
© The Author(s) 2019. Published by Oxford University Press on behalf of Duke University School of Law, Harvard Law School, Oxford University Press, and Stanford Law School. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited.
I. INTRODUCTION
People often view genetic information about themselves as private. Each person’s genome, or full complement of DNA, is unique,1 but the specific variants within an individual’s genome may be widely shared with biological relatives or even across the entire human population. This mixed character of the genome—as a uniquely individual assemblage of widely shared common elements—imbues it with a dual private and public significance that confounds any discussion of policy addressing genetic privacy.
On one hand, DNA has been conceptualized as a unique identifier2 and a person’s book of life,3 which provides insights into many aspects of the person’s future, although perhaps not as much as many people might think. This conceptualization leads many people to want to control who has access to genetic information about them and drives calls for strong privacy protection or even personal genetic data ownership. On the other hand, genetic data are not limited to one individual, with information about one person revealing information about the person’s close and distant biological relatives. Only by studying genetic information from many people can the significance of the individual’s variants be discerned. The importance of understanding the causes of health and disease has led some to argue that people have some obligation to share data about themselves for low-risk research.4 This public nature and value of the genome makes it difficult to decide what level of control individuals should have and how to provide appropriate privacy protections.
At the same time, the very concept of ‘privacy’ has evolved in recent decades and a new model of privacy has gained ground. The traditional view of privacy as secrecy or concealment—as a ‘right to be let alone’5—has grown increasingly strained in the Information Age. The Internet and ubiquitous communication technologies facilitate broad sharing of information, including highly personal information, often without the individual’s knowledge or consent.6 A new theorization of privacy has emerged, in which concealing one’s secrets ‘is less relevant than being in control of the distribution and use by others’7 of the data people generate in the course of seeking healthcare, conducting consumer transactions, and going about their lives. ‘The leading paradigm on the Internet and in the “real,” or off-line world, conceives of privacy as a personal right to control the use of one’s data’,8 including enjoying access and using it by oneself.9

1 Even the genomes of monozygotic (‘identical’) twins often differ in some ways. See, eg F. Nipa Haque, Irving I. Gottesman & Albert H.C. Wong, Not Really Identical: Epigenetic Differences in Monozygotic Twins and Implications for Twin Studies in Psychiatry, 151C AM. J. MED. GENETICS PART C SEMIN. MED. GENETICS 136 (2009).
2 Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators, 76 Fed. Reg. 143 (proposed July 26, 2011) (to be codified at 45 C.F.R. pts. 46, 160, 164; 21 C.F.R. pts. 50, 56).
3 FRANCIS S. COLLINS, THE LANGUAGE OF LIFE: DNA AND THE REVOLUTION IN PERSONALIZED MEDICINE (2010).
4 Ruth R. Faden et al., An Ethics Framework for a Learning Healthcare System: A Departure from Traditional Research Ethics and Clinical Ethics, 43 HASTINGS CTR. REP. S16, S23 (2013).
5 Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 193 (1890).
6 Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal Information, 37 U.C. DAVIS L. REV. 379, 401–2 (2003); Daniel J. Solove, Conceptualizing Privacy, 90 CALIF. L. REV. 1087, 1092–1126 (2002).
7 Bergelson, supra note 6, at 401 [quoting RAYMOND T. NIMMER, THE LAW OF COMPUTER TECHNOLOGY ¶ 16.02, at 16-5 (2001)].
Deciding how much control people should have over access to and use of genetic data about themselves has taken on increased urgency in recent years. Until recently, there simply was less genetic information to worry about, because a person’s genetic makeup could be inferred only by studying his or her phenotypic characteristics and family history. It was possible, for example, to tell something about people’s eye color genes by looking at their eyes, but not whether they had a gene variant that modestly elevated their cholesterol level or whether they were at increased risk of developing a common complex disorder.
Dramatic advances in technology have now made it possible to examine DNA directly with increasing accuracy and decreasing cost, thereby contributing to the dramatic growth in genome-based approaches, such as exome- or genome-based sequencing, which can provide dramatically more information than single-gene tests. These genomic tests have already proven valuable in diagnosing disorders whose etiology is unknown, as can be the case for some children with developmental disability or critical illness as neonates.10 There is also growing interest in using genome-scale tests to answer narrower clinical questions on the ground that these approaches are more efficient than testing a more limited number of genes.11 But moving to genome-based technologies has consequences for an individual’s privacy because having genomic data makes it possible to examine all the genetic variants regardless of the original reason for testing.
As this technology and our understanding of genomics have improved, a growing number of individuals and entities seek access to individual genetic information. For example, millions of people have pursued testing to learn about their ancestry and to identify previously unknown relatives, endeavors that require access to the information of others as well as their own. In addition, clinicians might seek the data to refine a patient’s diagnosis or care. Biomedical researchers might want to examine genetic information to understand the ways that genetic variation contributes to health and disease. Life insurers might want to use this information for underwriting. Parties in toxic tort cases might try to use this information to establish or rebut causation. Law enforcement might want to use the information to identify victims of mass attacks or criminal suspects.
Numerous studies show that many people are more comfortable sharing their genetic data with physicians and researchers in the institution where they seek care than with the government or commercial entities.12 People also vary widely in how much they are concerned about genetic privacy13 and privacy in general.14

8 Paul M. Schwartz, Internet Privacy and the State, 32 CONN. L. REV. 815, 820 (2000).
9 See, eg U.S. Dep’t of Health and Human Servs., Standards for Privacy of Individually Identifiable Health Information, 65 FED. REG. 82,462, 82,606 (Dec. 28, 2000) (noting, in the preamble to the original HIPAA Privacy Rule, that various industry and standard-setting organizations have recognized the need for individual access, stating that, ‘Patients’ confidence in the protection of their information requires that they have the means to know what is contained in their records’).
10 Laurie D. Smith, Laurel K. Willig & Stephen F. Kingsmore, Whole-Exome Sequencing and Whole-Genome Sequencing in Critically Ill Neonates Suspected to Have Single-Gene Disorders, 6 COLD SPRING HARBOR PERSP. MED. 2 (2016).
11 Jonathan S. Berg, Muin J. Khoury & James P. Evans, Deploying Whole Genome Sequencing in Clinical Practice and Public Health: Meeting the Challenge One Bin at a Time, 13 GENETICS MED. 499 (2011).
Given the diversity of actors and their interests, the increasing power of genetic technologies, and the wide variety of ways these data are held, it is difficult to develop broadly applicable legal principles for genetic privacy. As has been true since the earliest debates about genetic privacy, which began decades ago,15 public policy often involves balancing the rights of individuals to maintain the privacy of their genetic information with the rights of other individuals and the public to access the information. The trade-offs often implicate both personal and societal interests, which vary depending on the context. Whether the state can conduct newborn screening for genetic disorders raises different questions from whether an insurer can use genetic information for underwriting health, life, disability, or long-term care insurance, each of which presents its own challenges. In addition, the wide variety of actors and locations are subject to different regulatory schemes.
This article examines the landscape of genetic privacy to identify the roles the law does or should play. Because of the complexity of genetic privacy law, it is infeasible to address all of the issues in a single article. Consequently, the article does not address in detail genetic privacy in reproductive genetic testing,16 human subjects research involving genetics, state statutes and regulations pertaining to genetic privacy, and common law actions for invasion of privacy. The article’s primary focus is on federal statutes and regulations. After considering the many contexts in which issues of genetic privacy arise, the article concludes that few, if any, applicable legal doctrines or enactments provide adequate protection. For simplicity, and to acknowledge the deep roots of these debates, the article refers to ‘genetic’ privacy, but it clearly contemplates and gives special attention to the implications of the expanding role of genomics and associated technologies.
II. CONCEPTIONS OF GENETIC PRIVACY
II.A. Dimensions of Genetic Privacy
In order to understand genetic privacy, it is necessary first to delve into the complex concept of privacy.17 Privacy is a state of limited access to an individual or information about an individual.18 The right to privacy refers to the ethical and legal principles that recognize the importance of limited access to an individual or information about an individual.

Anita Allen has proposed four categories of privacy applicable to what she terms ‘the ambiguous concept’ of genetic privacy.

When used to label issues that arise in contemporary bioethics and public policy, ‘privacy’ generally refers to one of four categories of concern. They are: (1) informational privacy concerns about access to personal information; (2) physical privacy concerns about access to persons and personal spaces; (3) decisional privacy concerns about governmental and other third-party interference with personal choices; and (4) proprietary privacy concerns about the appropriation and ownership of interests in human personality.19

Informational privacy is a particularly important dimension of genetic privacy, and it is the primary focus of this article. From the huge dataset that is every human’s genome to family pedigrees and genetic test results, genetics is closely associated with information. Genomics and related analytical approaches—such as proteomics, metabolomics, transcriptomics, and epigenomics—greatly increase the amount of potential gene-associated information about individuals. Often, genetic information is sensitive because it has implications for the current and future health of individuals and their family members. The information may also have major social and economic consequences.20

Three other significant concepts within the realm of privacy and genetic privacy are confidentiality, security, and anonymity.21 Confidentiality describes a situation in which information is disclosed within a trusting relationship (eg physician–patient) on the express or implied agreement that it will not be divulged to a third party without the permission of the source of the information.22 Confidentiality, applicable to the nondisclosure of genetic information,23 is a foundational principle in the ethical codes of many health professions and a key element of a wide range of laws. The duty to protect confidentiality is not absolute, however, and in certain circumstances recognized by law or ethical codes, other interests may be paramount, such as the safety and health of third parties.24

12 Nanibaa’ A. Garrison et al., A Systematic Literature Review of Individuals’ Perspectives on Broad Consent and Data Sharing in the United States, 18 GENETICS MED. 663, 668–9 (2016); C. Sanderson et al., Public Attitudes Toward Consent and Data Sharing in Biobank Research: A Large Multi-site Experimental Survey in the US, 100 AM. J. HUM. GENETICS 414, 421 (2017).
13 Ellen W. Clayton et al., A Systematic Literature Review of Individuals’ Perspectives on Privacy and Genetic Information in the United States, PLOS ONE, https://doi.org/10.1371/journal.pone.0204417 (2018); Stacey Pereira et al., Do Privacy and Security Regulations Need a Status Update? Perspectives from an Intergenerational Study, PLOS ONE, https://doi.org/10.1371/journal.pone.0184525 (2017).
14 Mary Madden, Public Perceptions of Privacy and Security in the Post-Snowden Era, PEW RES. CTR., http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/ (2014).
15 PHILIP REILLY, GENETICS, LAW, AND SOCIAL POLICY (1977); GENETIC SECRETS: PROTECTING PRIVACY AND CONFIDENTIALITY IN THE GENOMIC ERA (Mark A. Rothstein ed., 1997).
16 For recent discussions, see Josephine Johnston, Ruth M. Farrell & Eric Parens, Supporting Women’s Autonomy in Prenatal Testing, 377 NEW ENG. J. MED. 505 (2017); Ruth M. Farrell & Megan A. Allyse, Key Ethical Issues in Prenatal Genetics, 45 OBSTET. & GYNECOL. CLIN. 127 (2017).
17 Many other countries, especially those in the European Union, use the term ‘data protection’ as an omnibus concept that includes privacy, confidentiality, security, and other elements. These concepts are at the heart of the European Union’s General Data Protection Regulation, which took effect in 2018. General Data Protection Regulation, 2018 O.J. (L 127), https://gdpr-info.eu (accessed Apr. 15, 2019). See generally Edward S. Dove, The EU General Data Protection Regulation: Implications for International Scientific Research in the Digital Era, 46 J.L. MED. & ETHICS, 1013−30 (2018).
18 ‘Physical and informational privacy practices serve to limit observation and disclosure deemed inimical to well-being’. Anita L. Allen, Privacy in Health Care, in 4 ENCYCLOPEDIA OF BIOETHICS 2067 (Warren Thomas Reich ed., 1995).
19 Anita L. Allen, Genetic Privacy: Emerging Concepts and Values, in GENETIC SECRETS: PROTECTING PRIVACY AND CONFIDENTIALITY IN THE GENETIC ERA 31, 33 (Mark A. Rothstein ed., 1997).
20 See infra Section V.
21 See Bartha Maria Knoppers & Madelaine Saginur, The Babel of Genetic Data Terminology, 23 NATURE BIOTECH. 925, 925 (2005) (discussing the numerous terms used to describe measures to protect genetic information).
22 ‘Confidentiality concerns the communication of private and personal information from one person to another where it is expected that the recipient of the information, such as a health professional, will not ordinarily disclose the confidential information to third persons’. William J. Winslade, Confidentiality, in 1 ENCYCLOPEDIA OF BIOETHICS at 452 (Warren Thomas Reich ed., 1995). See also Mark A. Rothstein, Confidentiality, in MEDICAL ETHICS: ANALYSIS OF THE ISSUES RAISED BY THE CODES, OPINIONS, AND STATEMENTS 171 (Baruch A. Brody et al. eds., 2001).
23 For a further discussion, see infra Section III.
Security, in the informational sense, is an increasingly important concept in the digital age. It refers to a condition in which individuals or entities with appropriate authority to access certain information are granted access to it, but those without such authority are denied access. Security can be protected by various means, such as by training employees, adopting administrative procedures for handling sensitive information, and implementing technical access controls, including passwords and encryption.25

Anonymity is a form of privacy protection in which the identity of the source of certain health information is not obtained or is removed by researchers or other custodians of the information. Anonymization, deidentification, and similar measures are frequently applied to genetic information in an effort to protect individual privacy while retaining the scientific value of the information. The use of anonymized genetic information raises two main concerns. First, technical methods may not be completely effective in preventing the reidentification of genetic information.26 Second, there is a plausible argument that individuals’ interest in autonomy should afford them the opportunity to learn about and to control the use of even their anonymized health information or biospecimens.27

No matter how people choose to define ‘privacy’, there is a widespread sentiment among legal and ethics scholars that existing privacy laws do not provide as much privacy as many people expect or erroneously believe they have.28 US federal privacy laws dating back to the early 1970s strike a balance that grants people some control over their data (through informed consent rights) while also allowing at least some unconsented collection and use of people’s data (including their genetic information) for various purposes that lawmakers consider socially beneficial.29 The ‘individual control’ these laws provide is thus incomplete. In the 1970s, Congress commissioned a Privacy Protection Study Commission (PPSC) to recommend appropriate privacy protections for many types of data. The PPSC’s 1977 report30 acknowledged that unconsented uses of people’s data, under certain circumstances, can be ethically justified, but it cautioned that if data cannot be ‘totally protected’ against unconsented access by others, people face privacy risks and need to be able to access their data themselves in order to assess and manage those risks.31 Accordingly, many privacy laws, both in the USA and elsewhere, offer individual access rights as a core part of their scheme of privacy protections.32 As a practical matter, however, healthcare institutions do not always provide patients with access to their medical records in a timely manner,33 and patients often encounter difficulty amending errors in their records.34

24 For example, laws requiring the reporting of infectious diseases or suspected cases of child abuse to appropriate governmental agencies override confidentiality.
25 See 45 C.F.R. pt. 164 (2018) (security and privacy provision of the HIPAA Privacy Rule). See generally Sharona Hoffman & Andy Podgurski, In Sickness, Health and Cyberspace: Protecting the Security of Electronic Private Health Information, 48 B.C. L. REV. 331 (2007); Nicolas P. Terry & Leslie P. Francis, Ensuring the Privacy and Confidentiality of Electronic Health Records, 2007 U. ILL. L. REV. 681 (2007).
26 See Ellen Wright Clayton & Bradley Malin, Assessing Risks to Privacy in Biospecimen Research, in SPECIMEN SCIENCE: ETHICS AND POLICY IMPLICATIONS 143 (Holly Fernandez Lynch et al. eds., 2017); Sara Renee Savage, Characterizing the Risks and Harms of Linking Genetic Information to Individuals, 15 IEEE SECURITY & PRIVACY 14, 16 (2017). For a further discussion, see Part VI-A.
27 Jennifer Kulynych & Henry T. Greely, Clinical Genomics, Big Data, and Electronic Medical Records: Reconciling Patient Rights with Research When Privacy and Science Collide, J.L. & BIOSCIENCES 94 (2017); Mark A. Rothstein, Is Deidentification Sufficient to Protect Health Privacy in Research?, 10 AM. J. BIOETHICS 3 (2010).
28 See generally SARAH E. IGO, THE KNOWN CITIZEN: A HISTORY OF PRIVACY IN MODERN AMERICA (2018).
29 See, eg the Fair Credit Reporting Act of 1970, 15 U.S.C. § 1681b (enumerating permissible disclosure of people’s credit information and conditions for such disclosures); Privacy Act of 1974, 5 U.S.C. § 552a(b) (requiring governmental agencies to seek consent prior to disclosure of people’s personal data stored in governmental databases, but then allowing various enumerated exceptions to the consent requirement); HIPAA Privacy Rule, 45 C.F.R. § 164.512 (allowing unconsented use and disclosure of people’s health and genetic information for an enumerated list of purposes—such as public health, law enforcement and judicial uses, and research subject to IRB or privacy board approval).
II.B. Genetic Exceptionalism
One of the earliest controversies surrounding genetic privacy in the academic literature and policy domain was whether genetic information should be regarded as merely another type of health information or whether certain distinctive characteristics of genetic information demand separate and more protective treatment. Among the allegedly unique aspects of genetic information is the tremendous amount of information contained in DNA, its immutability, its potential use as a unique identifier, and its implications for family members and others with a similar geographic ancestry.
Thomas Murray, recalling a debate in the 1980s about whether HIV information was unique (termed ‘HIV exceptionalism’), coined the term ‘genetic exceptionalism’ in reference to the controversy surrounding whether genetic information—at that time typically referring primarily to Mendelian or single-gene disorders—should be treated separately.35Murray also recognized that the main difference between genetic and non-genetic information is that many members of the public regard anything ‘non-genetic’ as spe-cial. ‘Genetic information is special because we are inclined to treat it as mysterious, as having exceptional potency or significance, not because it differs in some fundamental way from all other sorts of information about us’.36A practical problem with the
sepa-rate treatment of genetic information is the difficulty in defining and separating it from
30 PRIVACYPROTECTIONSTUDYCOMMISSION, PERSONALPRIVACY IN ANINFORMATIONSOCIETY(July, 1977),
https://www.ncjrs.gov/pdffiles1/Digitization/49602NCJRS.pdf(accessed Apr. 15, 2019).
31 Id. at 299.See Margaret O’Mara, The End of Privacy Began in the 1960s,N.Y. TIMES, Dec. 6, 2018, at A31 (stating
that as early as the 1960s Congress adopted the policy of pushing for data transparency, including sharing data with the person the data describe, rather than restrictions on sharing people’s data with third parties).
32 See, eg the Privacy Act of 1974, 5 U.S.C. 552a(d)(1) (granting an individual right of access to certain data
held in governmental databases); HIPAA Privacy Rule, 45 C.F.R.§164.524 (granting an individual right of access to certain data held by HIPAA-covered entities). See also European Union General Data Protection Regulation (Regulation (EU) 2016/679), Art. 15 (providing an individual access right).
33 See Carolyn T. Lye et al.,Assessment of US Hospital Compliance with Regulations for Patients’ Requests for
Medi-cal Records, 1 JAMA NETWORKOPEN. e183014 (2018), DOI:10.1001/jamanetworkopen.2018.3014 (finding widespread noncompliance with federal regulations by 83 hospitals studied).
34 Under the HIPAA Privacy Rule, individuals may request that their health records be revised or supplemented,
but covered entities are not required to do so. 45 C.F.R.§164.526. As a practical matter, covered entities often fail to grant such requests by patients.
35 Thomas H. Murray,Genetic Exceptionalism and ‘Future Diaries’: Is Genetic Information Different from Other
Medical Information?, in GENETICSECRETS: PROTECTINGPRIVACY ANDCONFIDENTIALITY IN THEGENETICERA
(Mark A. Rothstein ed., 1997). See also Nicolas P. Terry,Big Data Proxies and Health Privacy Exceptionalism, 24 HEALTHMATRIX65 (2014) (discussing the broader ‘health privacy exceptionalism’).
36 Murray,supranote 35, at 71. Although Mendelian conditions, especially Huntington disease, were cited
ex-tensively in the literature in the 1990s as justifying genetic exceptionalism, it is not a good example upon which to construct an approach to genetic ethics and policy. For example, few other genetic conditions share
other medical information in health records.37Separate treatment of genetic informa-tion also contributes to genetic reducinforma-tionism38and genetic determinism,39thereby in-creasing rather than reducing the seeming importance of genetic information and the stigma of genetic disorders.
As with other types of information in emerging medical fields, many of the prob-lems associated with the use of genetic information arise from two time lags. First is the time lag between the discovery of a genetic basis for a condition and the development of therapies to prevent, treat, or cure the disorder. Thus, genetic information may in-dicate a risk, such as for Alzheimer’s disease, about which little or nothing can be done to prevent or ameliorate the condition. Second is the time lag between a genetic test that identifies the increased risk of disease in a particular individual and the onset of symptoms. During this time period, when the individual is in medical limbo, numerous entities with an economic interest in the individual’s future health, such as various insur-ance companies, are inclined to use the genetic information to limit their risk. Neither of these characteristics is unique to genetics.
Although most commentators have been critical of genetic exceptionalism,40
virtu-ally all of the recent legislation enacted to deal with genetic privacy and genetic dis-crimination has been genetic-specific. One of the main reasons for this choice is that genetic-specific laws are necessarily narrower in scope and are thus more likely to gar-ner political support. For example, as early as the 1970s, a few states began enacting laws prohibiting some types of genetic discrimination in health insurance.41These laws provided additional protections to those afforded by state medical privacy laws, which
the characteristics of Huntington disease, which is an autosomal dominant, progressive, neurological disorder with nearly complete penetrance, adult onset, and usually resulting in death within 12 to 15 years of onset. Jean Paul G. Vansattel & Marian DiFiglia,Huntington Disease, 57 J. NEUROPATHOL. & EXP. NEUROL. 369, 369 (1998).
37 For example, family health history information often contains genetic information and is widely dispersed in
health records. Similarly, patients’ own histories may imply much about their genetic makeup.
38 ‘Genetic reductionism, understood ontologically, is the position that organisms consist of nothing but genes’.
Robert Wachboit,Genetic Determinism, Genetic Reductionism, and Genetic Essentialism, in 1 ENCYCLOPEDIA OF
ETHICAL, LEGAL,ANDPOLICYISSUES INBIOTECHNOLOGY353, 354 (Thomas H. Murray & Maxwell J. Mehlman, eds., 2000). See also Richard M. Lerner,Eliminating Genetic Reductionism from Developmental Science, 12 RES. HUMANDEV. 178 (2015).
39 ‘The phrase “genetic determinism” would, strictly speaking, mean that every event has a genetic cause that
is sufficient for that event’s occurring’. Wachbroit,supranote 38, at 353. See also Emily Willoughby et al., Free Will, Determinism, and Intuitive Judgments about the Heritability of Behavior,BEHAV. GENETICS(2018),
https://doi.org/10.1007/s10519-018-9931-1.
40 See Lawrence O. Gostin & James G. Hodge, Jr, Genetic Privacy and the Law: An End to Genetics Exceptionalism,
40 JURIMETRICS J. 21, 23 (1999); Deborah Hellman, What Makes Genetic Discrimination Exceptional?, 29 AM. J.L. & MED. 77, 83 (2003); Trudo Lemmens, Selective Justice, Genetic Discrimination, and Insurance: Should We Single Out Genes in Our Laws?, 45 MCGILL L.J. 347, 369–76 (2002); Mark A. Rothstein & Mary R. Anderlik, What Is Genetic Privacy, and When and How Should It Be Prevented?, 3 GENETICS MED. 354 (2001); Sonia M. Suter, The Allure and Peril of Genetics Exceptionalism: Do We Need Special Genetics Legislation?, 79 WASH. U. L.Q. 669 (2001). For publications proposing separate treatment of genetics, see GEORGE J. ANNAS ET AL., THE GENETIC PRIVACY ACT AND COMMENTARY pt. D, § 131(e)(1)(B) (1995); Colin S. Diver & Jane Maslow Cohen, Genophobia: What Is Wrong with Genetic Discrimination?, 149 U. PA. L. REV. 1439, 1454–59 (2001); Robert M. Green & A. Mathew Thomas, DNA: Five Distinguishing Features for Policy Analysis, 11 HARV. J.L. & TECH. 571, 572 (1998).
41 In the 1970s, Florida, FLA. STAT. § 448.075 (2018); Louisiana, LA. STAT. ANN. §§ 23:1001 to :1004 (2018); and
North Carolina, N.C. GEN. STAT. § 95-28.1 (2018) enacted laws prohibiting genetic discrimination in health insurance. In 1981, New Jersey enacted a broader law prohibiting discrimination based on an individual’s
also have numerous exceptions.42 Congress enacted the Genetic Information Nondiscrimination Act (GINA) in 2008,43 but its prohibition against genetic discrimination in health insurance applies only to asymptomatic individuals. It was not until 2010 that Congress prohibited all health-based discrimination in health insurance when it enacted the Affordable Care Act.44 This universally applicable nondiscrimination law provides comprehensive protections and avoids coverage gaps that characterize genetic nondiscrimination laws.
From a policy perspective, advocates and elected officials often have to decide whether to accept limited, genetic-specific legislation or to hold out for the possibility of a broader statute. On balance, less protective genetic laws are better than no legislation at all only if the enactments provide some clear improvement over the status quo, are drafted carefully to avoid unintended consequences, including reifying genetic exceptionalism, do not delay enactment of more comprehensive legislation, and are not presented to the public as a complete answer to the problem.45 Thus, advocates and policy-makers often are forced into an unappealing choice between limited, genetic-specific legislation or no legislation at all. Whether it is better to enact weak genetic privacy protections, as opposed to holding out for broader and more forceful privacy legislation, depends on several factors. For example, will passage of weak and incomplete genetic privacy protections reduce pressure for the stronger protection or lull the public into a false belief that their genetic information is better protected than it actually is?
III. GENETIC INFORMATION IN HEALTHCARE
Genetic information connected to personal identifiers is generated and used in a variety of contexts that may or may not be health-related—eg, clinical genetics, direct-to-consumer (DTC) testing,46 and forensics.47 Genetic information is an essential clinical
tool in an increasing number of medical specialties, including clinical genetics, oncology, obstetrics, neurology, pediatrics, and behavioral health. As clinicians obtain, aggregate, store, use, and disclose more genetic information, there is a greater possibility of breaches of privacy, confidentiality, and security. Some scenarios where such breaches may occur include the following: (1) genetic information is disclosed to or accessed by healthcare providers without the authority or legitimate need to see it; (2) the scope of the genetic information obtained and disclosed is beyond that needed for a legitimate healthcare purpose; and (3) genetic information is used for a purpose unrelated
‘atypical hereditary cellular or blood type’, defined to include sickle cell trait, hemoglobin C trait, thalassemia trait, Tay Sachs trait, or cystic fibrosis trait. N.J. STAT. ANN. § 10:5-5(y) (1981).
42 Leslie E. Wolf et al., The Web of Legal Protections for Participants in Genomic Research (forthcoming 2019).
43 Pub. L. 110–233, 122 Stat. 881 (May 21, 2008), 42 U.S.C. § 2000ff (2018).
44 42 U.S.C. §§ 18001–18122 (2018). The Health Insurance Portability and Accountability Act, initially enacted
in 1996, prohibited exclusion from employer-sponsored group health plans on the basis of genetic conditions, but its protection was limited by its failure to prohibit differential rates. Other laws, such as the Americans with Disabilities Act, also provide some protection to those who are severely affected by genetic disorders. Ellen W. Clayton, Why the Americans with Disabilities Act Matters for Genetics, 313 JAMA 2225, 2225–6 (2014).
45 Mark A. Rothstein, Genetic Exceptionalism and Legislative Pragmatism, 35 HASTINGS CTR. REP. 27, 31 (2005).
46 See infra Section IV.
47 See infra Section V. See infra Section VI for a discussion of the issue of the use of data from identifiers that
have been removed.
to the disclosure.48 Each of these, and many other situations in clinical settings, raises important legal and ethical issues.49
Uses and disclosures of health (including genetic) information in healthcare settings raise several issues, including whether consent or authorization is required, how much and what type of information can lawfully be disclosed, and which members of the treatment or research team should have access to which information. Whereas individuals are often concerned about discrimination when their health information is disclosed beyond healthcare settings, in healthcare settings their main concerns are protecting their privacy, autonomy, and dignity. Even though these concerns may seem abstract or indirect, many individuals regard them as very important, and concerns about these issues often influence a patient’s behavior and health outcomes, such as where patients limit disclosures of sensitive information to their healthcare providers to protect their privacy.50
III.A. HIPAA Privacy Rule
Most disclosures in healthcare settings are by ‘covered entities’ under the Health Insurance Portability and Accountability Act (HIPAA)51 and its Privacy Rule.52 HIPAA was enacted in 1996, primarily as an insurance statute, to facilitate the movement of employees from one employer to another without interruption or loss of employer-sponsored group health coverage for the employee or the employee’s dependents. Its role as privacy legislation was something of an afterthought. Congress added ‘Administrative Simplification’ provisions53 to HIPAA during the legislative process to mandate
the use of standard electronic formats in the submission of health insurance claims; these provisions addressed privacy only insofar as needed to minimize privacy risks related to the electronic filing of insurance claims. Thus, the HIPAA statute gave the US Department of Health and Human Services (HHS) the jurisdiction to regulate entities that provide healthcare or pay for it (such as insurers) but gave HHS no jurisdiction to regulate the multitude of other private companies and institutions (eg drug manufacturers, research institutions that provide no healthcare services, companies that sell fitness-tracking devices, DTC genetic testing services, and many others) that—in our current times—use and store people’s health and genetic data in ways that affect their privacy.
Congress understood that the HIPAA statute did not grant HHS the jurisdiction it really needed to be an effective health or genetic privacy regulator. Accordingly, HIPAA
48 As discussed below, under the HIPAA Privacy Rule, disclosures of protected health information for treatment
need not be limited in scope and do not require consent or authorization.
49 Improper disclosures and uses of genetic information also may take place in research settings, such as where
(1) genetic information is used for research without consent or beyond the bounds of the consent; (2) genetic information specifically stored in a deidentified form is reidentified without authorization or a legitimate purpose; (3) genetic information is used for research that is objectionable to the individual; and (4) genetic information is used for research with the potential to cause group harms.
50 See Andrea Gurmankin Levy et al., Prevalence of and Factors Associated with Patient
Nondisclosure of Medically Relevant Information to Clinicians, 1 JAMA NETW. OPEN. e185293 (2018), DOI:10.1001/jamanetworkopen.2018.5293 (reporting on a survey showing that various privacy concerns caused many patients to avoid telling clinicians information about their health).
51 42 U.S.C. §§ 300gg-300gg-2 (2018).
52 45 C.F.R. pts. 160, 162, 164 (2018).
53 See the HIPAA statute, §§ 261–264 (enacting a new part C of title IX of the Social Security Act).
envisioned that Congress would subsequently enact broad national health privacy legislation by August 21, 1999.54 HIPAA gave HHS the authority to promulgate the HIPAA Privacy Rule only if Congress failed to legislate by that date.55 As events unfolded, Congress did not enact the new privacy legislation and it fell on HHS to do the best it could with the limited jurisdiction available under the HIPAA statute. Consequently, the Privacy Rule applies only to four types of HIPAA-covered entities involved in the payment chain of healthcare: (1) healthcare providers that transmit any health information in electronic form in connection with a covered transaction; (2) health plans, including a health insurer, HMO, Medicare or Medicaid program, or other entity that provides or pays the costs of medical care; (3) health clearinghouses, public or private entities, including a billing service or health information management system, that process health information into a standard format for billing purposes; and (4) business associates of these entities, including individuals or entities that perform or assist in billing, management, administration, or other functions regulated by the Privacy Rule.56 The Privacy Rule was never intended to be a comprehensive health privacy regulation, but it has assumed such a role by default because of Congress’s failure to enact more sweeping and rigorous health and genetic privacy laws and regulations.57
Other than a definitional provision58 that Congress ordered HHS to add to the Privacy Rule under GINA,59 a provision dealing with deidentification,60 and two
provisions dealing with health plans,61 the Privacy Rule does not contain any special
54 HIPAA statute, § 264(c).
55 Id.
56 Id. § 160.103.
57 The 2013 and 2014 amendments to the Privacy Rule incorporated provisions mandated by the Health
Information Technology for Economic and Clinical Health Act (HITECH Act), American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, tit. XII, 123 Stat. 115, 203–226, and the Genetic Information Nondiscrimination Act (GINA). Another shortcoming of the Privacy Rule is that it does not provide for private actions to redress harms caused by violations. The Privacy Rule merely provides that a person who believes a covered entity is not complying with applicable requirements of the Privacy Rule may file a complaint with the Secretary of Health and Human Services. 45 C.F.R. § 160.306 (2018).
58 45 C.F.R. § 160.103 (2018).
59 See GINA § 102 [amending the Public Health Service Act at 42 U.S.C. § 300gg-91(d)(16) to define
‘genetic information’ very broadly as including ‘with respect to any individual, information about – (i) such individual’s genetic tests, (ii) the genetic tests of family members of such individual, and (iii) the manifestation of a disease or disorder in family members of such individual’ and further including ‘genetic services and participation in genetic research’]. See also id. at § 300gg-91(d)(17) (defining ‘genetic test’ as meaning ‘an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes’ and thus clearly including non-clinically-significant information, such as raw genomic data, within the scope of information included in GINA’s definition of ‘genomic information’) and see id. at § 300gg-91(d)(18) [defining ‘genetic services’ as including genetic tests and ‘genetic counseling (including obtaining, interpreting, or assessing genetic information)’ and genetic information, such that information from testing, assessing, and counseling occurring during the course of genetic research is included in GINA’s broad definition of ‘genetic information’] and see GINA § 105 (adding a new § 1180 to the Social Security Act, 42 U.S.C.A. § 1320d-9, providing that ‘[t]he Secretary shall revise the HIPAA privacy regulation’ so that ‘[g]enetic information shall be treated as health information described in section 1320d(4)(B) of this title’, which was the section of the Social Security Act added by the 1996 HIPAA statute in which Congress defined the ‘health information’ that is subject to HIPAA’s privacy protections). And see GINA § 105.
60 Id. § 164.514(g).
61 Id. § 164.502(a)(5)(i); § 164.520(b)(1)(iii)(C).
provisions for genetic information.62 Under GINA, genetic information is deemed to
be ‘health information’ that is protected by the Privacy Rule63 even if the genetic
information is not clinically significant and would not be viewed as health information for other legal purposes. In other words, the Privacy Rule rejects genetic exceptionalism and places genetic information under the ordinary protections of the HIPAA Privacy Rule.64 The Privacy Rule provides that a covered entity need not obtain consent or authorization from the individual for uses and disclosures of protected health information (PHI)65 (individually identifiable health information) for treatment, payment,
or healthcare operations.66 A covered entity is merely required to include information about its uses and disclosures in a notice of privacy practices provided to all individuals.67 The Privacy Rule also has glaring gaps in its framework for keeping people
informed about who has been given access to their genetic information. For example, when a person’s genetic information is disclosed in a deidentified format, the Privacy Rule’s ‘accounting of disclosures’ provisions68 do not require covered entities to tell the
individual about the disclosure, even though deidentified genetic information is potentially reidentifiable.
An important privacy-enhancing element of the Privacy Rule is the minimum necessary provision, which states that uses and disclosures of PHI for payment and healthcare operations must be limited to ‘the amount reasonably necessary to achieve the purpose of the disclosure’.69 This provision, however, is not applicable to disclosures for
treatment.70 Furthermore, for treatment, payment, and healthcare operations, there is no
requirement that covered entities use and disclose PHI in the least identifiable form consistent with legal requirements or the purpose of the use or disclosure.71
Besides the HIPAA Privacy Rule, several states have enacted ‘genetic privacy’ laws, which vary widely in their applicability and stringency. For example, some of these laws
62 Only psychotherapy notes receive special treatment in the Privacy Rule. Separately maintained notes of
private communication are not considered part of the designated record set that may be disclosed for treatment, payment, or healthcare operations. Id. § 164.501.
63 See GINA § 105, supra note 59.
64 Id. § 164.103. See the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification
Rules, 78 FED. REG. 5566, 5661 (2013) (codified at 45 C.F.R. pts. 160, 164).
65 Protected health information generally includes individually identifiable health information. 45 C.F.R.
§ 160.103 (2018).
66 Id. § 164.502(a)(1)(ii). The Privacy Rule defines treatment, payment, and healthcare operations quite
broadly, and therefore covered entities may use and disclose numerous types of PHI without consent or additional notice to the individual beyond the notice of privacy practices.
67 Id. § 164.520.
68 45 C.F.R. § 164.528 (2018).
69 Id. § 164.514(d)(3)(i).
70 See Julie L. Agris, Extending the Minimum Necessary Standard to Uses and Disclosures for Treatment, 42 J.L.
MED. & ETHICS 263, 264 (2014). Despite its manifest inadequacies, the Privacy Rule has some value, including the following: (1) it provides individuals with a right of access to their health records, id. § 164.524, an especially valuable provision in states lacking similar state legislation; (2) it requires authorizations for uses and disclosures of PHI in fundraising, id. § 164.514(f), marketing, id. § 164.508(a)(3), and most research, id. § 164.512(i); and (3) it has substantial symbolic value by declaring the importance of health information privacy and security, eg, banning healthcare providers from discussing patients’ health information in public areas.
71 See Mark A. Rothstein, The End of the HIPAA Privacy Rule?, 44 J.L. MED. & ETHICS 352, 353 (2016)
(advocating for adoption of a ‘least identifiable form’ requirement under the Privacy Rule).
require informed consent for genetic testing, regulate access to genetic information, or provide that genetic information is the property of the individual.72
III.B. GINA
In 2008, after 13 years of contentious congressional deliberation, GINA was overwhelmingly passed by Congress and signed into law by President George W. Bush.73 Unlike other civil rights laws, GINA was not enacted to remedy ongoing discrimination; rather, it was intended to preempt discrimination that was feared, but not well documented as yet occurring.74 Section 2(5) of GINA confirms that the purpose of the law is ‘to fully protect the public from discrimination and to allay their concerns about the potential for discrimination, thereby allowing individuals to take advantage of genetic testing, technologies, research, and new therapies’. GINA’s two main titles prohibit discrimination based on genetic information in health insurance (Title I) and employment (Title II), but the value of this legislation has been a source of some dispute.75
Although GINA is best known for its provisions prohibiting discrimination based on genetic information, it also contains provisions related to privacy. Section 202(b) of GINA prohibits employers from requesting, requiring, or purchasing genetic information with respect to an employee (including an applicant) or a family member of the employee. Similar provisions limiting the acquisition of genetic information are included in Title I dealing with nondiscrimination in health insurance and health benefit plans.76
Section 105 of GINA also provides that genetic information—as broadly defined by GINA77—‘shall be treated as health information’ under HIPAA, thereby extending the
HIPAA Privacy Rule to genetic information regardless of whether it is ‘health information in the ordinary sense of this word’.78 This seeming expansion of the Privacy Rule is
72 Genome Statute and Regulation Database, NAT’L HUM. GENOME RES. INST. (NHGRI),
https://www.genome.gov/policyethics/legdatabase/pubsearchresult.cfm (accessed Nov. 2, 2018).
73 42 U.S.C. § 2000ff.
74 See Jessica L. Roberts, Preempting Discrimination: Lessons from the Genetic Information Nondiscrimination Act,
63 VAND. L. REV. 439 (2010).
75 See Mark A. Rothstein, GINA at Ten and the Future of Genetic Nondiscrimination Law, 48 HASTINGS CTR. REP.
No. 3, at 5 (2018).
76 GINA, Pub. L. No. 110-233, § 101(d), 122 Stat. 881, 884–5 (2008) (prohibiting acquisition of genetic
information by ERISA-qualified health plans); § 102(d)(2)(A), 122 Stat. at 896 (prohibiting acquisition of genetic information by group health plans or group health insurers); § 102(d)(2)(B), 122 Stat. at 896 (prohibiting acquisition of genetic information in individual health insurance); § 103(d), 122 Stat. at 898–9 (amending the Internal Revenue Code to prohibit acquisition of genetic information with regard to group premiums); § 104(b)(2), 122 Stat. at 901 (prohibiting acquisition of genetic information in regard to Medigap policies).
77 GINA § 102, supra note 59.
78 The original HIPAA Privacy Rule, which became effective in 2003–04, only protected ‘health information’ as
defined by Section 1171 of the Social Security Act, 42 U.S.C.A. § 1320d(4). This implied that genetic information was protected by the Privacy Rule if it was ‘(A) created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual’. Non-medical genetic information (such as forensic identifiers or variant data having no established clinical significance) seemingly was not protected by the Privacy Rule. When Congress enacted GINA, Congress defined ‘genetic information’ broadly, as discussed earlier in note 59. See the Public Health Service Act § 2791(d)(16), codified at 42 U.S.C. 300gg–91(d)(16) (defining genetic information as
subject to important limitations. First, as noted above, the Privacy Rule only applies to covered entities in the healthcare payment chain, and it does not apply to many other entities that acquire, store, use, or disclose genetic information, such as insurers other than health insurers. It also does not generally apply to DTC genetic testing companies, including ancestry testing companies. The second limitation is that the Privacy Rule notoriously contains numerous exceptions to its individual authorization requirements, discussed below. Third, many observers view its protections as inadequate because it is enforceable only by HHS’s Office for Civil Rights and does not create a private right of action on behalf of the person whose data are disclosed.79 Therefore, the nominal privacy protection afforded to genetic information in the possession of HIPAA-covered entities does not fully address the need for genetic privacy protections.
III.C. ACMG List
One of the most controversial issues surrounding disclosure of genetic information in healthcare settings involves what genetic information healthcare providers (eg clinical geneticists, genetic counselors) can and should look for and share with their patients beyond that needed to address the patients’ immediate clinical question. A key issue is whether there is a professional obligation to provide secondary findings of genome sequencing for a predetermined set of gene variants. The American College of Medical Genetics and Genomics (ACMG) originally adopted the position that, because of the significance of certain results, it is mandatory that professionals performing the sequencing, interpretation, or disclosure of the results in clinical settings include 57 medically actionable genes, regardless of the wishes of the patient or ordering physician, or their pertinence to the patient’s clinical problem.80 This position was widely criticized as violating patient autonomy and clinician discretion.81 The ACMG subsequently amended its policy to provide that patients could decline to receive secondary results.82
III.D. Informing At-Risk Relatives
A related issue involves the ethical and legal obligations of clinicians to offer information about a patient’s diagnosis of a gene-mediated disorder or the results of a genetic
including information about a person’s genetic tests, tests of family members, and manifest disease in family members, and including genetic services and participation in genetic research). GINA added a new Section 1180 to the Social Security Act, 42 U.S.C.A. § 1320d-9, which deems all such ‘genetic information’ to meet the definition of ‘health information’, for purposes of the HIPAA Privacy Rule. After GINA, even non-clinically significant genetic information, such as forensic data, is treated as ‘health information’ for purposes of being protected under the Privacy Rule, even if it would not be considered ‘health information’ in other legal contexts.
79 45 C.F.R. § 160.306 (2018). See also Acara v. Banks, 470 F.3d 569, 571-72 (5th Cir. 2006) (holding, in the
first federal appellate decision to address this issue, that the Privacy Rule does not create a private right of action).
80 Robert C. Green et al., ACMG Recommendations for Reporting of Incidental Findings in Clinical Exome and
Genome Sequencing, 15 GENETICS MED. 565, 569–573 (2013).
81 See Wylie Burke et al., Recommendations for Returning Genomic Incidental Findings? We Need to Talk!, 15
GENETICS MED. 854, 855 (2013); Lainie F. Ross et al., Mandatory Extended Searches in All Genome Sequencing: “Incidental Findings,” Patient Autonomy, and Shared Decision Making, 310 JAMA 367, 368 (2013).
82 S. S. Kalia et al., Recommendations for Reporting of Secondary Findings in Clinical Exome and Genome Sequencing,
2016 Update (ACMG SFv.2.0): A Policy Statement of the American College of Medical Genetics and Genomics, 19 GENETICS MED. 249, 250 (2017).
test to at-risk family members. There is widespread agreement that clinicians should advise their patients about the importance for their relatives of significant diagnostic or predictive genetic information. Ideally, the clinician would encourage disclosure and offer to assist the patient in this process, but there has been disagreement about whether clinicians have a duty to contact and offer the results to relatives when the patient refuses and does not authorize the clinician to contact them. A much-discussed judicial opinion suggested that there might be a legal duty for a physician to make these disclosures to a patient’s relatives,83 and a guidance document from the American Society of Human Genetics stated that disclosure is appropriate in certain highly unusual circumstances.84 Nevertheless, both of these sources predated the 2003 compliance date of the
HIPAA Privacy Rule, which prohibits nonconsensual disclosure of genetic information to relatives of a patient.85 Furthermore, imposing such a duty might discourage individuals from obtaining genetic testing, cause an irreparable rift between patients and their healthcare provider, prove to be burdensome and infeasible in identifying and contacting the patient’s relatives, and result in harm by offering to disclose sensitive health information that the relatives might not want to receive. Therefore, as a matter of ethics and law, clinicians are neither required nor permitted to inform the genetically at-risk relatives of their patients without the consent or authorization of their patient or their
83 Safer v. Estate of Pack, 677 A.2d 1188 (N.J. Super. Ct. App. Div.), cert. denied, 683 A.2d 1163 (N.J. 1996). The
holding in this case has never been cited with approval and was severely limited by the New Jersey legislature. See N.J. REV. STAT. § 10:5-47 (2018).
84 American Society of Human Genetics Social Issues Subcommittee on Familial Disclosure, Professional
Disclosure of Familial Genetic Information, 62 AM. J. HUM. GENETICS 474, 474 (1998). The exceptional circumstances justifying an otherwise impermissible disclosure are described as follows: Disclosure should be permissible where attempts to encourage disclosure on the part of the patient have failed; where the harm is highly likely to occur and is serious and foreseeable; where the at-risk relative(s) is identifiable; and where either the disease is preventable/treatable or medically accepted standards indicate that early monitoring will reduce the genetic risk. Id. at 474.
85 The HIPAA Privacy Rule contains an exception that permits the following disclosure: ‘Uses and disclosures to
avert a serious threat to health or safety’. 45 C.F.R. § 164.512(j) (2018). This provision was intended to apply to situations, such as the Tarasoff case, where an individual disclosed to his psychotherapist that he intended to kill a female acquaintance. Tarasoff v. Regents of the Univ. of Cal., 551 P.2d 334, 339 (Cal. 1976). See Office for Civil Rights, Department of Health and Human Services, FAQ: Does HIPAA permit a doctor to contact a patient’s family or law enforcement if the doctor believes that the patient might hurt herself or someone else? https://www.hhs.gov/hipaa/for-professionals/faq/2096/does-hipaa-permit-doctor-contact-patients-family-or-law-enforcement-if-doctor-believes-patient.html. (‘The Privacy Rule permits a healthcare provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others’.). See also Mark A. Rothstein, Tarasoff Duties after Newtown, 42 J.L. MED. & ETHICS 104 (2014). Therefore, the ‘serious threat to health or safety’ exception does not apply to warnings by a healthcare provider to a patient’s relatives regarding their genetic risk. In 2013, the Office for Civil Rights of the Department of Health and Human Services issued the following interpretation: ‘Health care providers may share genetic information about an individual with providers treating family members of the individual who are seeking to identify their own genetic risks, provided that the individual has not agreed to a restriction on such disclosure’. Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules, 78 FED. REG. 5566, 5668 (2013). Although this interpretation permits the release of sensitive information without the consent of the patient, the interpretation is limited.
Healthcare providers are not required to make such disclosures, and they may make them only to another healthcare provider, and only in response to an inquiry by another healthcare provider.
patient’s personal representative.86 The disclosure of research results raises similar
issues.87
IV. GENETIC INFORMATION IN DTC GENETIC TESTING
Outside the healthcare setting, millions of people now obtain DTC genetic testing for a wide range of purposes, some of which can impinge on their privacy interests or the privacy interests of others. Companies now purport to provide genetic insights into health, ancestry and genealogy, family relationships, and lifestyle choices.88 They offer advice about using genetic test results to guide choices about food and dieting, selection of sports purportedly based on physiologic traits correlated with athletic ability, or even how to pick a partner or where to travel. The majority of these companies do their own genetic testing, but a few ask customers to upload test results they have obtained elsewhere for further analysis.
The most prevalent categories of DTC genetic tests consist of those designed to provide insights into ancestry and family relationships.89 Although some people seek primarily to learn about their ancestral origins, others hope to find blood relatives whom they had not previously known about. Still others have desires that may be more disruptive, such as to identify the birth parents of a child who was adopted, or a gamete donor,90 which may lead to unwanted contact,91 or to identify the parentage of a child,
which may be done surreptitiously and the results of which can have significant legal consequences for children and adults. All of these efforts to define biological relationships require people to share their genetic data.
Companies are also beginning to provide genetic tests that can be broadly understood as health-related, directly to the consumer and without the involvement of a healthcare provider. Recent regulatory developments have been driven largely by the Food and Drug Administration (FDA) and 23andMe, which became the first company authorized to market a DTC carrier test for Bloom Syndrome in 2015.92 23andMe subsequently obtained authorization to market Genetic Health Risk (GHR) tests for 10
86 See Mark A. Rothstein, Reconsidering the Duty to Warn Genetically At-Risk Relatives, 19 GENETICS MED. 285,
288–9 (2018).
87 See R.R. Fabsitz et al., Ethical and Practical Guidelines for Reporting Research Results to Study Participants:
Updated Guidelines from a National Heart, Lung, and Blood Institute Working Group, 3 CIRC. & CARDIOVASC. GENET. 574, 574–580 (2010); Susan M. Wolf et al., Returning a Research Participant’s Genomic Results to Relatives: Analysis and Recommendations, 43 J.L. MED. & ETHICS 440, 445–6, 451 (2015).
88 See James W. Hazel & Christopher Slobogin, Who Knows What, and When?: A Survey of the Privacy Policies
Proffered by U.S. Direct-to-Consumer Genetic Testing Companies, 28 CORNELL J.L. & PUB. POL’Y 35, 47 (2018); Andelka M. Phillips, Only a Click Away—DTC Genetics for Ancestry, Health, Love...and More: A View of the Business and Regulatory Landscape, 8 APPL. & TRANSL. GENOM. 16, 16–9 (2016).
89 Id.
90 ROSANNA HERTZ & MARGARET K. NELSON, RANDOM FAMILIES: GENETIC STRANGERS, SPERM DONOR SIBLINGS, AND THE CREATION OF NEW KIN (2019).
91 Woman Uses DNA Test, Finds Sperm Donor – and Pays a ‘Devastating’ Price (CBS News 31 Jan. 2019),
https://www.cbsnews.com/news/woman-finds-sperm-donor-after-using-dna-test-raising-questions-about-donor-anonymity/ (accessed Mar. 11, 2019) (woman sued by the sperm bank for breach of contract by accidentally identifying the donor).
92 Press Release, FDA Permits Marketing of First Direct-to-Consumer Genetic Carrier Test for Bloom Syndrome
(FDA, Feb. 19, 2015), https://wayback.archive-it.org/7993/20170111191740/http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm435003.htm (accessed Apr. 15, 2019).
conditions in 2017, including Parkinson’s disease and late-onset Alzheimer’s disease,93 followed by a GHR report for selected variants of BRCA1/BRCA2 in 2018.94 Under this new regulatory approach, the FDA ‘intends to exempt additional 23andMe GHR tests from the FDA’s premarket review, and GHR tests from other makers may be exempt after submitting their first premarket notification [...] allow[ing] other, similar tests to enter the market as quickly as possible and in the least burdensome way, after a one-time FDA review’.95 Most recently, in October of 2018, the FDA authorized 23andMe to market a Pharmacogenetic (PGx) Reports test that detects 33 genetic variants associated with medication metabolism (eg response to certain antidepressants and cardiac medications), imposing a warning label requirement designed to inform consumers that they should not make any changes to their medications based on the results.96
A 2017 study of 90 DTC-GT companies operating within the USA sheds light on the information that these companies provide to consumers about their genetic data practices.97 Although industry leaders generally had fairly comprehensive policies, almost 40% of the companies surveyed (35 of 90) provided no information to consumers about their genetic data practices, including the fate of biological samples or the resulting genetic data. Of the 55 companies with policies governing genetic data, just over half stated what information would be shared with the testing laboratory or what procedures, if any, were used to safeguard the information. Only half discussed whether the sample would be stored or not, a number of which had a policy of retaining the physical sample (eg a saliva sample, cheek swab, or the extracted DNA). In addition, many indicated that they would retain any genetic data generated from these samples indefinitely. While most policies made vague guarantees or assurances about data security, very few provided specific details, and almost none stated that they would notify customers in the event of a breach.
Policies also varied in terms of what information was provided regarding ownership and commercialization of genetic data. Many companies did not explicitly claim ownership of a consumer’s DNA, but they often retained broad rights to commercialize the resulting data. Of the 55 companies with policies governing genetic data, nearly half (23 companies) had policies with provisions that indicated data would (or might) be shared with third parties, yet none provided an exhaustive list. Eighteen explicitly stated that they would share deidentified data with third parties without further consent. Ten companies allowed participants to opt-in for sharing data with outside researchers,
93 Press Release, FDA Allows Marketing of First Direct-to-Consumer Tests that Provide Genetic Risk Information for Certain Conditions (FDA, Apr. 6, 2017), https://www.fda.gov/newsevents/newsroom/pressannouncements/ucm551185.htm (accessed Apr. 15, 2019).
94 Press Release, FDA Authorizes, with Special Controls, Direct-to-Consumer Test that Reports Three Mutations in the BRCA Breast Cancer Genes (FDA, Mar. 6, 2018), https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm599560.htm (accessed Apr. 15, 2019).
95 Press Release, Statement from FDA Commissioner Scott Gottlieb, M.D., on Implementation of Agency’s Streamlined Development and Review Pathway for Consumer Tests that Evaluate Genetic Health Risks (FDA, Nov. 6, 2017), https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm583885.htm (accessed Apr. 15, 2019).
96 Press Release, FDA Authorizes First Direct-to-Consumer Test for Detecting Genetic Variants that May Be Associated with Medication Metabolism (FDA, Oct. 31, 2018), https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm624753.htm (accessed Apr. 15, 2019).
97 Hazel & Slobogin, supra note 88, at 48–57.